OpenSSH 10.4, released on July 6, 2026, introduces a series of critical security improvements and new features. The update is available for download via the official OpenSSH mirrors and aims to enhance the robustness of secure shell communications.
Security Enhancements in OpenSSH 10.4
This latest version addresses numerous vulnerabilities that were found in the core utilities. A significant fix in sftp(1) prevents malicious servers from redirecting files to unintended locations during operations. Similarly, scp(1) now includes corrections to stop unauthorized servers from writing files outside the designated directory during remote transfers.
Additional security repairs were applied to sshd(8) that deal with a bug causing silent data truncation in ‘internal-sftp’, which could compromise security options. Moreover, improvements have been made to enforce authentication delays, resolving issues previously identified by the Orange Cyberdefense Vulnerability Team.
Protocol and Feature Updates
OpenSSH 10.4 also introduces changes that enhance the security framework. For instance, the transport protocol now automatically disconnects peers sending non-KEX messages during key re-exchanges, mitigating potential memory exhaustion attacks. On Linux systems, failures in seccomp sandboxing are now fatal, requiring explicit disabling if kernel support is absent.
Furthermore, the sshd -G configuration mode now outputs in a mixed-case format, which may affect automated scripts. The update also debuts experimental post-quantum signature support combining ML-DSA 44 and Ed25519, although this feature is not activated by default.
Additional Improvements and Bug Fixes
The release includes a new NFA-based wildcard pattern matcher for ssh(1) and sshd(8), which resolves previous performance issues. Numerous bug fixes have been implemented, such as enhanced FIDO token key handling, and improved security in cryptographic operations.
Portability updates ensure synchronization with OpenBSD for specific files and resolve multiple memory leaks. These improvements contribute to the stability and security of the software.
Source packages for OpenSSH 10.4 can be downloaded and verified using provided SHA1 and SHA256 checksums, ensuring their integrity and authenticity.
